security/acme-client: Auto Renewal of ECC certificate fails #2223
Comments
@maurice-w I need some more information to understand what's happening here. Please enable debug logging in Additionally a screenshot of the cert config (
OK, I think this is fixed in 3e72b0f.
Thanks @fraenki, I applied the patch and we'll see what happens! After a deep dive into the logs and config history, I now think that this issue affects all ECC certificates, is unrelated to OCSP Must Staple and was introduced with os-acme-client 2.x. Looking at your fix this seems plausible, would you agree? The last successful auto renewal of both certificates was on 2020-11-11, a few days before the release of 2.0. At the next auto renewal on 2021-01-11, one certificate renewed while the other one failed with the ecc parameter error. Well, so I thought. Turns out the certificate which seemed to renew actually didn't. This originally was an RSA certificate which was later switched to ECC. It has since been renewed successfully multiple times. But (
I fully agree. The bug caused all ECC cert renewals to fail.
Yes, we were not doing any cleanups for a pretty long time. os-acme-client version 1.25 added a removal feature, but it does not cleanup older certificate data. All "new" removals should not leave any traces anymore. (Well, there is one notable exception: the Let's Encrypt plugin will never remove a certificate from
The fix will be released in os-acme-client 2.4.
[+] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
[+] I have searched the existing issues and I'm convinced that mine is new.
[+] The title contains the plugin to which this issue belongs
Describe the bug
I have two ECC certificates. One of them can be renewed without issues using either Auto Renewal, the 'Issue/Renew Certificates Now' button or the 'Issue/Renew' button in the Commands column.
The other one can only be renewed using the 'Issue/Renew' button in the Commands column. Auto Renewal as well as the 'Issue/Renew Certificates Now' button fail with this error message:
The domain 'example.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
The only significant difference seems to be that the one which fails to auto renew has 'OCSP Must Staple' enabled.
Does this seem plausible?
To Reproduce
See bug description.
Additional context
Forum thread: https://forum.opnsense.org/index.php?topic=21085.0
Environment
OPNsense 21.1.r_96 (amd64, OpenSSL).
os-acme-client-devel 2.3
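The error quoted in the report comes from acme.sh refusing to touch an ECC certificate unless the caller passes `--ecc`. The following is an added example, not code from the os-acme-client plugin or from acme.sh: a small POSIX sh helper that decides, per domain, whether the renew command line must carry `--ecc`. It assumes acme.sh's convention of keeping ECC certificate state in a directory named `<domain>_ecc` next to the plain `<domain>` directory used for RSA, and the `ACME_HOME` variable is a hypothetical override for the state directory (acme.sh itself defaults to `~/.acme.sh`).

```shell
#!/bin/sh
# Decide whether an acme.sh renewal for a domain needs the --ecc flag.
# ACME_HOME (hypothetical override) points at the acme.sh state directory;
# it defaults to ~/.acme.sh, which is where acme.sh normally keeps its data.

acme_home() {
    printf '%s' "${ACME_HOME:-$HOME/.acme.sh}"
}

# Print "ecc" when an ECC certificate directory (<domain>_ecc) exists,
# "rsa" when only the RSA directory (<domain>) exists, "none" otherwise.
# If both exist, ECC wins: that is exactly the case where a renewal
# without --ecc makes acme.sh refuse with the "seems to have a ECC cert
# already" error quoted in this issue.
cert_key_type() {
    domain="$1"
    if [ -d "$(acme_home)/${domain}_ecc" ]; then
        echo ecc
    elif [ -d "$(acme_home)/${domain}" ]; then
        echo rsa
    else
        echo none
    fi
}

# Print the argument list for "acme.sh --renew" for this domain.
# Returns 1 (and prints nothing) when no certificate state exists,
# so a caller never silently renews something that was never issued.
renew_args() {
    domain="$1"
    case "$(cert_key_type "$domain")" in
        ecc)  echo "--renew -d $domain --ecc" ;;
        rsa)  echo "--renew -d $domain" ;;
        *)    return 1 ;;
    esac
}

# Usage (not executed here):
#   ACME_HOME=/var/db/acme args=$(renew_args example.com) && acme.sh $args
```

The point of `cert_key_type` is that the key type is read from on-disk state rather than from the plugin's own configuration, so a certificate that was issued as RSA and later switched to ECC (the second case described in the thread) is still renewed with the flag acme.sh expects.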